Memory Workflow Security Report — Suspicious | ClawSafe

55 /100

Memory Workflow

三层存储记忆工作流，支持文件/FTS5/KG/Milvus搜索

Memory workflow skill has undeclared network exfiltration behavior: user memory content is sent to an external Ollama LLM service (scripts/store.py:extract_triples_via_llm) without disclosure in SKILL.md, combined with hardcoded Docker bridge IPs as service endpoints.

Skill NameMemory Workflow

Duration67.3s

Enginepi

⚠

Use with caution

Either (1) document the Ollama LLM call and data transmission in SKILL.md, or (2) remove the external LLM dependency and rely solely on rule-based extraction. Consider making service endpoints configurable via environment variables with explicit user consent.

Attack Chain 4 steps

◎

Entry User stores memory content via MemoryStore tool

scripts/store.py:110

⬡

Escalation store_memory() calls extract_triples_via_llm() with user content

scripts/store.py:130

◉

Impact Content POSTed to OLLAMA_URL (default: host.docker.internal:11434) for LLM processing — exfiltrated outside skill sandbox

scripts/store.py:94

◉

Impact get_embedding() sends same content to EMBEDDING_URL (default: 172.17.0.1:18779)

scripts/store.py:170

Findings 6 items

Severity	Finding	Location
High	Undeclared LLM data transmission Data Exfil extract_triples_via_llm() in store.py sends user memory content to an external Ollama LLM endpoint (OLLAMA_URL, defaulting to host.docker.internal:11434) for entity/relation extraction. This external network call is not declared anywhere in SKILL.md, which only mentions 'Ollama (可选)' as a KG dependency without explaining that user content is transmitted. `req = Request(OLLAMA_URL + "/api/chat", data=data, headers={"Content-Type": "application/json"})` → Add explicit documentation in SKILL.md stating that user memory content may be sent to a user-configured Ollama endpoint for knowledge graph extraction. Alternatively, remove this feature and rely on rule-based extraction only.	`scripts/store.py:94`
High	SKILL.md hides external service dependencies Doc Mismatch SKILL.md claims '三层存储架构' with file + FTS5 + KG + Milvus, but omits that KG extraction and embedding both require external HTTP calls. The embedding call to bge-m3 at 172.17.0.1:18779 sends all stored content over the network. `## 三层存储架构 \| 层级 \| 存储位置 \| 依赖 \| 说明 \| \|------\|----------\|------\|------\| \| KG \| ... \| Ollama（可选） \| 三元组知识图谱，规则降级 \|` → Document that Ollama and embedding services are external dependencies that receive user data over HTTP.	`SKILL.md:1`
High	Hardcoded Docker bridge IP addresses as default service endpoints Sensitive Access config.py hardcodes 172.17.0.1 (the default Docker bridge gateway) as the default endpoint for rerank (18778) and embedding (18779) services. This is a suspicious default target as it enables exfiltration to the Docker host if those ports are open, without requiring explicit user configuration. `RERANK_SERVICE_URL = os.environ.get("RERANK_SERVICE_URL", "http://172.17.0.1:18778")` → Remove hardcoded IPs as defaults. Default to localhost or a service unavailable message, requiring explicit configuration for network services.	`scripts/config.py:12`
Medium	Embedding API call sends all content to external service Data Exfil get_embedding() in store.py POSTs all user memory content to EMBEDDING_URL (defaulting to http://172.17.0.1:18779/v1/embeddings) for vectorization before Milvus storage. This network call is not declared in the tool descriptions. `req = Request(EMBEDDING_URL, data=data, headers={"Content-Type": "application/json"})` → Document the embedding API call in SKILL.md or remove the embedding feature, relying on FTS5 only.	`scripts/store.py:170`
Medium	Undeclared shell execution via subprocess Priv Escalation BaseMemoryTool._run_op() uses subprocess.run() to execute memory_ops.py with arbitrary command arguments. This shell execution pattern is not declared in SKILL.md — only the tool names and descriptions are listed. Additionally, save_session.py independently uses subprocess without being exposed as a declared tool. `result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, ...)` → Document that tools use subprocess internally, or refactor to import modules directly without shell invocation.	`scripts/tools.py:48`
Low	SKILL.md installation modifies AGENTS.md with shell commands Doc Mismatch SKILL.md instructs users to add bash command blocks to ~/.openclaw/workspace/AGENTS.md that pipe heredocs into python3 scripts. This is an unusual installation pattern that injects shell execution instructions into agent configuration. `Exec: python3 $HOME/.openclaw/workspace/skills/memory-workflow/memory_ops.py search --query ...` → Use a standard registration mechanism (e.g., a Python setup function) instead of modifying AGENTS.md with shell command strings.	`SKILL.md:12`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	scripts/store.py: writes to ~/.openclaw/workspace/memory-workflow-data/
Network	`NONE`	`WRITE`	✗ Violation	scripts/store.py:94 — sends content to OLLAMA_URL via urllib; scripts/store.py:1…
Shell	`NONE`	`WRITE`	✗ Violation	scripts/tools.py:48 — subprocess.run executes memory_ops.py; scripts/save_sessio…
Environment	`READ`	`READ`	✓ Aligned	scripts/config.py:14-17, store.py:32-34 — reads OLLAMA_URL, MILVUS_HOST, etc.
Skill Invoke	`WRITE`	`WRITE`	✓ Aligned	SKILL.md declares 6 tool interfaces

1 High 4 findings

📡

High IP Address 硬编码 IP 地址

172.17.0.1

scripts/config.py:12

🔗

Medium External URL 外部 URL

http://172.17.0.1:18778

scripts/config.py:12

🔗

Medium External URL 外部 URL

http://172.17.0.1:18779/v1/embeddings

scripts/store.py:33

🔗

Medium External URL 外部 URL

http://host.docker.internal:11434

scripts/store.py:37

File Tree

9 files · 50.3 KB · 1648 lines

Python 7f · 1492L Markdown 2f · 156L

├─ ▾ 📁 scripts

│ ├─ 🐍 config.py Python 24L · 696 B

│ ├─ 🐍 fts5.py Python 228L · 6.6 KB

│ ├─ 🐍 save_session.py Python 57L · 1.6 KB

│ ├─ 🐍 search.py Python 186L · 5.4 KB

│ ├─ 🐍 store.py Python 370L · 11.9 KB

│ └─ 🐍 tools.py Python 250L · 7.7 KB

├─ 🐍 memory_ops.py Python 377L · 11.4 KB

├─ 📝 README.md Markdown 38L · 958 B

└─ 📝 SKILL.md Markdown 118L · 4.2 KB

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`pymilvus`	`unpinned`	pip	No	Used for Milvus vector storage, imported conditionally
`jieba`	`unpinned`	pip	No	Chinese segmentation, imported conditionally
`urllib.request`	`stdlib`	Python	No	Used for HTTP calls to Ollama and embedding API

Security Positives

✓ No credential theft indicators — skill does not access ~/.ssh, ~/.aws, or .env files

✓ No obfuscation detected — no base64-encoded strings or anti-analysis patterns

✓ No reverse shell or C2 infrastructure — no suspicious outbound connections beyond documented API calls

✓ File operations are scoped to a dedicated memory data directory (~/.openclaw/workspace/memory-workflow-data/)

✓ Version pinning available for external dependencies (pymilvus in requirements would show versions)

✓ FTS5 and file storage work without external dependencies, matching documentation

Scan Report

Attack Chain 4 steps

Findings 6 items

File Tree

Dependencies 3 items

Security Positives